Virtual Patching: Lower Security Risks and Costs - Trend Micro
Virtual Patching: Lower Security Risks and Costs - Trend Micro
Virtual Patching: Lower Security Risks and Costs - Trend Micro
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Virtual</strong> <strong>Patching</strong>: <strong>Lower</strong><br />
<strong>Security</strong> <strong>Risks</strong> <strong>and</strong> <strong>Costs</strong><br />
A <strong>Trend</strong> <strong>Micro</strong> White Paper, 2012<br />
<strong>Trend</strong> <strong>Micro</strong> Deep <strong>Security</strong><br />
<strong>Trend</strong> <strong>Micro</strong>, Incorporated<br />
» Hundreds of software vulnerabilities are exposed each month, <strong>and</strong> timely patching is<br />
expensive, prone to error <strong>and</strong> often impossible. <strong>Trend</strong> <strong>Micro</strong> virtual patching solutions<br />
deliver immediate protection while eliminating the operational pains of emergency<br />
patching, frequent patch cycles, <strong>and</strong> costly system downtime.<br />
A <strong>Trend</strong> <strong>Micro</strong> White Paper | March 2012
TABLE OF CONTENTS<br />
Introduction 3<br />
Patch Management Today 3<br />
System Vulnerabilities Are Everywhere 5<br />
A New Approach: <strong>Virtual</strong> <strong>Patching</strong> 8<br />
How Deep <strong>Security</strong> Works 9<br />
Why <strong>Trend</strong> <strong>Micro</strong> 11<br />
Conclusion 12<br />
References 13<br />
Page 2 of 13 | <strong>Trend</strong> <strong>Micro</strong> White Paper | Title Goes Here <strong>and</strong> Should be Same as the Cover
INTRODUCTION<br />
Patch management for vulnerability remediation can be a painful exercise for IT departments. If<br />
it were easy, patch release <strong>and</strong> deployment would be predictable events <strong>and</strong> vulnerabilities<br />
would be addressed within acceptable timeframes. Instead, emergency patches persist, IT<br />
staffs scramble to deploy them, <strong>and</strong> security officers brace themselves for the worst case—a<br />
data breach or unplanned system downtime. Beyond emergency patches, predictable events<br />
such as planning to maintain security for out-of-support (OOS) enterprise software pose an<br />
added challenge. For such systems, ongoing security patches cease, forcing IT operations to<br />
choose between expensive support contracts or accept the risk of exploits targeted at OOS<br />
systems with unpatchable vulnerabilities. And some systems are inherently difficult to patch<br />
such as point-of-sale devices, kiosks, <strong>and</strong> medical or other embedded devices. Yet these<br />
devices may be critical to the business.<br />
This white paper reviews enterprise challenges with security patch management including risks<br />
to various areas of IT—security, compliance, operations, <strong>and</strong> budgets. It discusses how<br />
traditional approaches to remediating vulnerable systems can create new problems <strong>and</strong><br />
provides a new model that keeps pace with the ever-increasing number of attack vectors.<br />
<strong>Trend</strong> <strong>Micro</strong> Deep <strong>Security</strong> offers ”virtual patching,” which shields vulnerabilities in critical<br />
systems until an actual patch is available <strong>and</strong> deployed—or as permanent protection in the case<br />
of OOS or other unpatchable systems. Deep <strong>Security</strong>’s virtual patching lowers costs by<br />
preventing the need for emergency patching, frequent patch cycles, <strong>and</strong> system downtime as<br />
well as reducing the risk of breach disclosure expenses. It even avoids expensive support<br />
contracts for OOS systems by eliminating the need for customized patches <strong>and</strong> helping to<br />
extend the life of legacy systems <strong>and</strong> applications. Deep <strong>Security</strong>’s virtual patching mitigates<br />
risk across network topologies, platforms, <strong>and</strong> applications—including commonly targeted Web<br />
applications—<strong>and</strong> enables enterprises to maintain regulatory compliance, including necessary<br />
logging <strong>and</strong> reporting capabilities.. Designed to provide comprehensive protection for all<br />
servers—physical, virtual, <strong>and</strong> cloud—as well as endpoints, Deep <strong>Security</strong> gives you a timely,<br />
cost-effective complement to traditional patching processes that can significantly lower costs,<br />
reduce disruptions, <strong>and</strong> give you greater control over the scheduling of patches.<br />
PATCH MANAGEMENT TODAY<br />
The primary goal of software patching is to keep operating systems <strong>and</strong> applications working<br />
smoothly <strong>and</strong> securely. For widely used systems such as <strong>Micro</strong>soft SQL Server or Windows 7,<br />
the process is relatively predictable, but life gets significantly more complex when older<br />
applications, custom development, <strong>and</strong> out-of-support operating systems enter the picture. Add<br />
budget constraints that restrict migrating away from OOS platforms or remediating supported<br />
platforms <strong>and</strong> a hacker community eager to exploit unpatched system vulnerabilities, <strong>and</strong> you<br />
have a situation ripe for disaster, or at least a nasty note from auditors.<br />
Page 3 of 13 | <strong>Trend</strong> <strong>Micro</strong> White Paper | Title Goes Here <strong>and</strong> Should be Same as the Cover
COMPLEXITIES OF THE TYPICAL PATCH DEPLOYMENT PROCESS<br />
The mere availability of a patch does not give IT a green light to deploy it across all business<br />
systems. Even the very predictable “<strong>Micro</strong>soft Patch Tuesday” releases are scrutinized every<br />
month by IT organizations to ensure that the risks are actually addressed without breaking<br />
existing applications. Typically, patch management follows a structured process that includes 1 :<br />
• Obtain the patch from a trusted party <strong>and</strong> check the integrity of both the patch<br />
<strong>and</strong> the patch source<br />
• Test the patch to ensure the vulnerability is remediated <strong>and</strong> the patch will not<br />
break other applications<br />
• Notify affected parties of any necessary scheduled downtime to apply the patch<br />
• Deploy the patch to all affected systems<br />
• Recheck operational efficiency of patched systems <strong>and</strong> remediate as required<br />
The complexity <strong>and</strong> frequent time-critical nature of even predictable patching before a<br />
vulnerability is actually exploited is a significant burden on IT operations <strong>and</strong> consigns them to a<br />
state of reactivity <strong>and</strong> continuous catch-up. Against this backdrop, it is hardly surprising that<br />
almost one third of security survey respondents said their organization devotes a great deal of<br />
time <strong>and</strong> staff resources to patch management—the highest response across all IT security<br />
tasks listed. Yet only 22% found their patch management to be very effective 2 . With the<br />
complexity of patch management, corners may be cut, risks may persist, <strong>and</strong> proactive IT<br />
projects may languish.<br />
KNOWING THE RISKS: RISK WINDO DURING THE TIME FROM VULNERABILITY DISCOVERY TO<br />
PATCH RELEASE PATCH DEPLOYMENT<br />
The gap between discovering the vulnerability (or being notified of a critical security patch) <strong>and</strong> when<br />
appropriate patches are deployed to all production systems can extend for weeks or even months. The<br />
challenge is not getting easier over time, with the National Vulnerability Database reporting over 4,150<br />
software vulnerabilities in 2011 5 . The time it takes to test patches for these vulnerabilities <strong>and</strong> role them<br />
out to all applicable systems creates an extended risk window.<br />
And security concerns over delays in patching systems are well founded. In 2011, malware was<br />
responsible for 95% of all data records stolen, <strong>and</strong> 94% of data breaches involved the confidentiality <strong>and</strong><br />
integrity of servers 4 . Attackers can repeatedly leverage the same system vulnerability <strong>and</strong> continue to<br />
get results as systems remain unpatched or unpatchable. Buying time to manage the window between<br />
when a vulnerability is discovered <strong>and</strong> a patch can be deployed, while still remaining secure, is a critical<br />
element in maintaining an adequate security posture.<br />
REGULATROY COMPLIANCE<br />
Regulatory compliance also impacts patch management. In addition to the specific timeliness<br />
requirements of the PCI regulations 3 , periodic audits to ensure up-to-date patches on critical<br />
systems—ones that store or process regulated data—must be undertaken to comply with<br />
internal IT governance as well as many external data protection industry regulations.<br />
Page 4 of 13 | <strong>Trend</strong> <strong>Micro</strong> White Paper | Title Goes Here <strong>and</strong> Should be Same as the Cover
REGULATROY COMPLIANCE<br />
Beyond the predictable nature of “Patch Tuesday”—<strong>and</strong> its constant companion “Exploit<br />
Wednesday”— as well as regulatory compliance requirements, multiple additional factors must<br />
be borne in mind when implementing patch management programs:<br />
• Emergency patches that must be applied immediately, with consequent<br />
downtime, overhead, <strong>and</strong> cost<br />
• The operational challenge of patching virtualized systems <strong>and</strong> the rapid growth in the<br />
use of such systems<br />
• Increasing frequency of zero-day attacks <strong>and</strong> attacks targeted at specific<br />
industries <strong>and</strong> platforms<br />
• Ongoing consolidation of vendors <strong>and</strong> consequent disruption of patch<br />
development <strong>and</strong> distribution<br />
• Growing use of “unpatchable” POS systems, ATMs, <strong>and</strong> embedded systems as a<br />
vector for malware delivery<br />
SYSTEM VULNERABILITIES ARE EVERYWHERE<br />
Patch management is both a solution <strong>and</strong> a source of frustration, so why do IT security policies<br />
continue to m<strong>and</strong>ate timely <strong>and</strong> accurate patching of vulnerable systems The answer is that,<br />
short of rewriting the original source code, patches are the most targeted way in which to<br />
remediate software vulnerabilities in specific operating systems <strong>and</strong> applications. However,<br />
there are also systems that are unpatchable either because they are OOS or non-typical<br />
systems. Whether patchable or unpatchable, enterprises need to shield known <strong>and</strong> unknown<br />
vulnerabilities in a broad range of critical applications <strong>and</strong> systems that are being targeted by<br />
cybercriminals.<br />
ENTERPRISE APPLICATIONS<br />
In 2011, 1,821 critical software flaw vulnerabilities (i.e., Common Vulnerabilities & Exposures<br />
(“CVE”): Score 7-10, high severity 6 ) were reported in operating systems, databases, servers,<br />
<strong>and</strong> other applications, according to the US National Institute of St<strong>and</strong>ards <strong>and</strong> Technology<br />
(NIST) 7 . This equals seven critical vulnerabilities per business day. <strong>Patching</strong> these<br />
vulnerabilities can be disruptive <strong>and</strong> time consuming, requiring systems to be rebooted <strong>and</strong><br />
impacting service level agreements. Even when a patch is available, it can take weeks or even<br />
months before the patch can be fully deployed because of internal testing <strong>and</strong> the time required<br />
to deploy the patch across all applicable endpoints.<br />
LEGACY WEB APPLICATIONS<br />
Some vulnerabilities are caused by misconfigured systems, while others may be due to coding<br />
flaws in custom-built <strong>and</strong> legacy web applications. In the former case, manual intervention may<br />
be required; in the latter case, developers with the necessary subject matter expertise may not<br />
be available to fix the application, as was the case with Y2K <strong>and</strong> COBOL.<br />
In large organizations (1000 employees <strong>and</strong> greater), web applications serve as a popular threat<br />
vector responsible for 54% of breaches in 2011 8 . Web applications are particularly vulnerable<br />
Page 5 of 13 | <strong>Trend</strong> <strong>Micro</strong> White Paper | Title Goes Here <strong>and</strong> Should be Same as the Cover
ecause they are inherently open <strong>and</strong> accessible to attackers. In addition, content <strong>and</strong><br />
functionality are increasingly complex <strong>and</strong> programmers are often untrained in secure software<br />
development practices. Perimeter security will not shield these systems <strong>and</strong> it can be difficult to<br />
locate <strong>and</strong> assign the custom development resources necessary to fix the code.<br />
UNPATCHABLE SYSTEMS<br />
Unattended or embedded systems such as point-of-sale systems, kiosks <strong>and</strong> medical devices<br />
are often considered unpatchable despite significant levels of vulnerability. Often, low-b<strong>and</strong>width<br />
connections with remote locations make deploying large patches prohibitively time-consuming<br />
or expensive. At other times, regulations or service level agreement uptime requirements may<br />
preclude such systems from being patched.<br />
UNSUPPORTED OPERATING SYSTEMS AND APPLICATIONS<br />
Clearly no software application will be supported in perpetuity; every IT manager has at some<br />
time received an End of Life (EOL) announcement, which specifies a date after which a<br />
particular program will be out-of-support (OOS) <strong>and</strong> no further patches will be issued except by<br />
special (<strong>and</strong> costly) individual agreements. Often, the time <strong>and</strong> cost required to migrate to a<br />
newer version is simply too high, <strong>and</strong> organizations need a more immediate, cost-effective<br />
solution.<br />
KNOWING THE RISKS: VULNERABILITIES ON UNSUPPORTED<br />
SYSTEMS<br />
Even with an organized end-of-life process, many organizations appear to be<br />
caught off guard or unprepared for the inevitability of OOS software. And<br />
those who do research the options find that those options often bring their<br />
own share of challenges. Ignoring the risks associated with the continued<br />
use of unpatched OOS systems is not wise for many reasons, not the least<br />
of which is that newer, supported platforms often share code with earlier<br />
releases. A new exploit on a supported platform can also affect an older<br />
OOS system that shares its code.<br />
An OOS system that is still frequently used by organizations is <strong>Micro</strong>soft<br />
Windows 2000, which was designated OOS on July 13, 2010. Even a few<br />
Windows 2000 installations left “live” on a network can be exploited by savvy<br />
hackers who see Windows 2000 as an easy entry point long after Windows<br />
XP patches have been deployed. If operating system migration has not yet<br />
been completed, enterprises with these systems are at risk. As soon as the<br />
next Windows XP vulnerability is announced <strong>and</strong> a patch is released, the<br />
clock will start ticking until an exploit targets this same vulnerability on<br />
Windows 2000. And once the attacks start, they are unlikely to stop because<br />
there will be nothing there to stop them.<br />
The Perfect Storm - Windows 2000<br />
After July 13, 2010<br />
• Vulnerability announced for<br />
Windows XP<br />
• Hackers start writing exploits<br />
based on this XP vulnerability<br />
• Some exploits are successful<br />
before XP patch release<br />
• Patched XP systems are<br />
protected, 2000 systems<br />
continue to be vulnerable <strong>and</strong><br />
attacked indefinitely<br />
Undesirable Options for Addressing<br />
Out of Support (OOS) Systems<br />
• Ignoring the associated risks<br />
• Eliminating these systems<br />
• Purchasing custom support<br />
contracts<br />
• Isolating them on the network<br />
• Hardening systems<br />
• Application whitelisting<br />
Page 6 of 13 | <strong>Trend</strong> <strong>Micro</strong> White Paper | Title Goes Here <strong>and</strong> Should be Same as the Cover
KNOWING THE RISKS: VULNERABILITIES ON UNSUPPORTED SYSTEMS (CONT.)<br />
UNDESIRABLE APPROACHES TO MANAGING THE RISKS<br />
1. Custom Support Agreements for OOS Systems (continued)<br />
In the name of “customer service,” vendors may offer custom <strong>and</strong> extended support agreements for OOS<br />
software which entitle customers to emergency security patches. However, such agreements are<br />
frequently cost-prohibitive for all but the largest organizations; Windows 2000 Custom Support<br />
Agreements started at $50,000 per quarter 9 in 2010, <strong>and</strong> these agreements tend to get more expensive<br />
over time as the operating system gets older. For example, OOS contracts for Windows NT v4 exceeded<br />
$1 million by 2009 10 . Not unsurprisingly, many enterprises find such costs to be unpalatable, driving them<br />
to find alternative methods to mitigate the risk or, in some cases, accept the risk of a potential<br />
compromise. Acquisitions bring their own complexity to the extended support contract. For example,<br />
when Oracle acquired Sun, Sun’s customers were required to renew their support contracts with Oracle<br />
to receive patches; a similar situation occurred when Oracle acquired middleware vendor BEA Systems.<br />
2. Isolation<br />
One approach to managing risks associated with OOS software might be to make such systems hard for<br />
hackers to reach. Isolating these systems on separate networks or VLANs adds a layer of difficulty that<br />
hackers may decide is simply too much trouble. However, network isolation may not be practical for<br />
essential business systems, <strong>and</strong> therein lies the conundrum. Making OOS systems hard to reach adds a<br />
layer of security but may also prevent them from being used effectively, obviating the reason for retaining<br />
them in the first place.<br />
3. System Hardening<br />
Hardening OOS systems (e.g., removing unnecessary services, user accounts) may appear to be an<br />
acceptable way to minimize risk. However, authorized users will still need access to these systems, so<br />
restricting user accounts alone may not be practical for business reasons. Hardening through removal of<br />
unnecessary services <strong>and</strong> ports is not trivial when business applications are designed to run on generalpurpose<br />
operating systems with a variety of application services <strong>and</strong> ports (e.g. RPC ports, web<br />
services), <strong>and</strong> may break the application. Restricting application ports may also render stateful packetfiltering<br />
firewalls ineffective, since many applications dynamically allocate ports as needed.<br />
4. Application Whitelisting<br />
Whitelisting OOS applications could potentially enable IT to be alerted if malware has affected<br />
<strong>and</strong> made changes to such an application, but does not remove the problem of dealing with such<br />
an event when identified. Using whitelisting to instead permit only the use of explicitly-authorized<br />
software on an OOS system is conceptually sound, but in practice would likely prove<br />
unmanageable; IT would need to update signatures for authorized executables <strong>and</strong> upload them<br />
into the whitelisting system every time one of those executables was patched.<br />
While enterprises should plan for the eventual elimination of OOS systems, such plans are<br />
frequently dogged by budgetary constraints or technical limitations. Businesses need to be able to<br />
migrate away from OOS systems on their schedule while, in the meantime, effectively <strong>and</strong><br />
inexpensively maintaining the security of these OOS systems.<br />
Page 7 of 13 | <strong>Trend</strong> <strong>Micro</strong> White Paper | Title Goes Here <strong>and</strong> Should be Same as the Cover
A NEW APPROACH: VIRTUAL PATCHING<br />
The dual challenge of vulnerability risks <strong>and</strong> patch management is clearly<br />
not being adequately met by traditional solutions. <strong>Trend</strong> <strong>Micro</strong>’s answer<br />
to the unwinnable challenge of patching unpatchable systems is Deep<br />
<strong>Security</strong> <strong>Virtual</strong> <strong>Patching</strong>, a non-disruptive “vulnerability shield” that<br />
protects systems during the risk window—<strong>and</strong> beyond.<br />
DEEP SECURITY: A COST-EFFECTIVE COMPLEMENT TO<br />
PATCH MANAGEMENT<br />
<strong>Trend</strong> <strong>Micro</strong> Deep <strong>Security</strong> shields vulnerabilities in critical systems until<br />
a patch is available <strong>and</strong> deployed, in place of a future patch that may<br />
never materialize, or to protect systems that are unpatchable. In each<br />
instance, enterprises get a timely, cost-effective complement to<br />
traditional patching processes that can significantly lower costs, reduce<br />
disruptions, <strong>and</strong> provide greater control over the scheduling of patches.<br />
Designed to provide comprehensive protection for all servers—physical,<br />
virtual, <strong>and</strong> cloud—as well as endpoints, Deep <strong>Security</strong> can be deployed<br />
as an agent on a physical or virtual machine, or as a virtual appliance on<br />
a VMware ESX server to protect guest virtual machines using agentless<br />
security. Deep <strong>Security</strong> coordinates several elements of the solution to<br />
provide virtual patching protection.<br />
When Interviewed 11 , Deep<br />
<strong>Security</strong> Customers Said,<br />
• “<strong>Virtual</strong> patching in Deep<br />
<strong>Security</strong> ‘has been the single<br />
biggest benefit’ we have<br />
experienced with the<br />
solution.”<br />
• “We would absolutely<br />
recommend Deep <strong>Security</strong> –<br />
we don’t know of any other<br />
products that can provide<br />
integrated server security.”<br />
1. Intrusion Detection <strong>and</strong> Prevention (IDS / IPS)<br />
If a hacker locates a vulnerability, he may try to exploit it. Deep <strong>Security</strong> Intrusion Detection <strong>and</strong><br />
Prevention (IDS/IPS) rules shield against known vulnerabilities—for example those disclosed on<br />
<strong>Micro</strong>soft Patch Tuesday—from being exploited. The Deep Packet Inspection (DPI) engine<br />
leverages proprietary rules that protects network traffic in layers 2-7. These rules are used to<br />
protect unpatched, network-facing system resources <strong>and</strong> enterprise applications. Deep <strong>Security</strong><br />
includes out-of-the-box vulnerability protection for over 100 applications, including database,<br />
web, email <strong>and</strong> FTP servers. In addition, IDS/IPS rules also provide zero-day protection for<br />
known vulnerabilities that have not been issued a patch, <strong>and</strong> unknown vulnerabilities using<br />
smart rules that apply behavior analysis <strong>and</strong> self learning to block new threats.<br />
Vulnerability shielding leverages the Deep <strong>Security</strong> IDS/IPS rules <strong>and</strong> requires updating when<br />
new vulnerabilities are announced. However, rather than relying on a new software patch for<br />
protection, the existing Deep <strong>Security</strong> engine is already at work, checking for updates to<br />
IDS/IPS rules <strong>and</strong> automatically applying them to applicable systems.<br />
2. Recommendation Scanning<br />
Recommendation scanning streamlines security update management by automatically<br />
recommending which rules need to be deployed to protect a given system. Deep <strong>Security</strong> scans<br />
the system to identify which IDS/IPS rules need to be deployed to optimize protection based on<br />
the OS version, service pack, patch level, <strong>and</strong> installed applications. In addition, as the server<br />
Page 8 of 13 | <strong>Trend</strong> <strong>Micro</strong> White Paper | Title Goes Here <strong>and</strong> Should be Same as the Cover
environment changes <strong>and</strong> patches are deployed, Deep <strong>Security</strong> automatically recommends<br />
which rules can be removed to minimize resource utilization.<br />
3. <strong>Security</strong> Updates<br />
<strong>Security</strong> updates from a dedicated team of security experts ensure the latest protection by<br />
continuously monitoring multiple sources of vulnerability disclosure information to identify <strong>and</strong><br />
correlate new relevant threats <strong>and</strong> vulnerabilities. This includes more than 100 sources such as<br />
SANS, CERT, Bugtraq, VulnWatch, PacketStorm, <strong>and</strong> Securiteam. <strong>Trend</strong> <strong>Micro</strong> is also a<br />
member of <strong>Micro</strong>soft Active Protections Program receiving vulnerability information from<br />
<strong>Micro</strong>soft in advance of their monthly security bulletins. This makes it possible for <strong>Trend</strong> <strong>Micro</strong> to<br />
anticipate emerging threats <strong>and</strong> provide more timely protection. <strong>Trend</strong> <strong>Micro</strong> responds to<br />
advisories <strong>and</strong> security updates in addition to out-of-b<strong>and</strong> security patches typically associated<br />
with zero day threats.<br />
4. Web Application Protection<br />
Web application protection rules defend against SQL injections attacks, cross-site scripting<br />
attacks, <strong>and</strong> other web application vulnerabilities, shielding these vulnerabilities until code fixes<br />
are completed. <strong>Security</strong> rules enforce protocol conformance <strong>and</strong> use heuristic analysis to<br />
identify malicious activity.<br />
5. Enterprise-grade, Bi-directional, <strong>and</strong> Stateful Firewall<br />
An enterprise-grade, bi-directional, <strong>and</strong> stateful firewall allows communications over ports <strong>and</strong><br />
protocols necessary for correct server operation <strong>and</strong> blocks all other ports <strong>and</strong> protocols. This<br />
reduces the risk of unauthorized access to the server.<br />
6. Protection for Physical, <strong>Virtual</strong>, <strong>and</strong> Cloud Computing Environments<br />
Deep <strong>Security</strong> ensures that vulnerabilities are shielded, no matter how the hosts are deployed.<br />
In addition to providing guest-based protection, Deep <strong>Security</strong> leverages VMware APIs to<br />
provide agentless protection, maximizing deployment flexibility.<br />
HOW DEEP SECURITY WORKS<br />
Deep <strong>Security</strong> provides virtual patching through its vulnerability shielding capabilities outlined in<br />
the section above, but this is only one aspect of the protection it provides. This comprehensive<br />
server security platform delivers adaptive, highly efficient agentless <strong>and</strong> agent-based protection,<br />
including anti-malware, intrusion detection <strong>and</strong> prevention, firewall, web application protection,<br />
application control, integrity monitoring, <strong>and</strong> log inspection.<br />
The platform ensures server, application, <strong>and</strong> data security across physical, virtual, <strong>and</strong> cloud<br />
servers, as well as virtual desktops protecting businesses from breaches <strong>and</strong> business<br />
disruptions without emergency patching. The solution consists of the Deep <strong>Security</strong> <strong>Virtual</strong><br />
Appliance, Deep <strong>Security</strong> Agent, Deep <strong>Security</strong> Manager, <strong>and</strong> the <strong>Security</strong> Center.<br />
DEEP SECURITY VIRTUAL APPLIANCE<br />
Deep <strong>Security</strong> can be provided as a dedicated security virtual appliance on VMware vSphere<br />
virtual machines. The virtual appliance integrates with vShield Endpoint <strong>and</strong> other VMware<br />
Page 9 of 13 | <strong>Trend</strong> <strong>Micro</strong> White Paper | Title Goes Here <strong>and</strong> Should be Same as the Cover
APIs to offer agentless antimalware, file integrity monitoring, IDS/IPS, web application<br />
protection, application control, <strong>and</strong> firewall protection—while also coordinating with Deep<br />
<strong>Security</strong> Agent, if desired, for log inspection. Also the Deep <strong>Security</strong> Agent can be deployed on<br />
each physical or virtual server in lieu of using the dedicated virtual appliance / agentless security<br />
approach. <strong>Trend</strong> <strong>Micro</strong> customers have the flexibility to mix agentless <strong>and</strong> agent-based<br />
configurations to best secure their unique server environments.<br />
DEEP SECURITY AGENT<br />
The Deep <strong>Security</strong> Agent is a small software component that is deployed on the server or virtual<br />
machine being protected <strong>and</strong> which enforces the security policy. This is a single security agent<br />
that integrates all of the Deep <strong>Security</strong> modules being used, streamlining deployment <strong>and</strong><br />
management.<br />
For virtual patching, the Deep <strong>Security</strong> Agent integrates with the system's network driver (stack)<br />
to evaluate network packets against Deep <strong>Security</strong> rules. Should the rules engine identify an<br />
exploit, the network connection is dropped to terminate <strong>and</strong> prevent the attack.<br />
DEEP SECURITY MANAGER<br />
The Deep <strong>Security</strong> Manager enables administrators to create security profiles <strong>and</strong> apply them to<br />
servers—across physical, virtual, <strong>and</strong> cloud server deployments. It has a centralized console for<br />
monitoring alerts <strong>and</strong> preventive actions taken in response to threats, <strong>and</strong> can be configured to<br />
automate or distribute security updates to servers on dem<strong>and</strong>. The Manager can be used to<br />
generate reports to gain visibility into activity to meet compliance requirements. Event Tagging<br />
functionality streamlines the management of high-volume events <strong>and</strong> enables workflow of<br />
incident response.<br />
SECURITY CENTER<br />
The <strong>Security</strong> Center is a dedicated team of security experts who help customers stay ahead of<br />
the latest threats by rapidly developing <strong>and</strong> delivering security updates that address newly<br />
discovered vulnerabilities. The <strong>Security</strong> Center takes into careful consideration the large number<br />
of vulnerabilities (dating back over 10 years) <strong>and</strong> primarily focuses maintenance on<br />
vulnerabilities from 2006 to present. Considerations include system resource management,<br />
attack probability, <strong>and</strong> vulnerability age. While Deep <strong>Security</strong> does protect against some<br />
vulnerabilities dating as far back as 2001, <strong>Trend</strong> <strong>Micro</strong>’s position is to focus on the most relevant<br />
<strong>and</strong> current threat probabilities.<br />
As there are a wide range of operating systems <strong>and</strong> applications in use within enterprises,<br />
<strong>Trend</strong> <strong>Micro</strong> focuses its protection on the operating systems <strong>and</strong> commonly used applications<br />
most relevant to its customers, based on analysis <strong>and</strong> on-going customer feedback. This<br />
includes out-of-box protection for over 100 applications.<br />
<strong>Trend</strong> <strong>Micro</strong> <strong>Security</strong> Center has released 17,000+ rules to date. These rules provide networkbased<br />
detection <strong>and</strong> prevention. This non-intrusive network IDS/IPS approach ensures critical<br />
systems <strong>and</strong> applications maintain operational availability goals while preventing attacks until<br />
patches can be deployed during scheduled patch maintenance, or in lieu of a patch when a<br />
patch is not available.<br />
Page 10 of 13 | <strong>Trend</strong> <strong>Micro</strong> White Paper | Title Goes Here <strong>and</strong> Should be Same as the Cover
KNOWING THE RISKS: DEEP SECURITY VIRTUAL PATCHING IMMEDIATELY MITIGATES RISKS<br />
1. <strong>Micro</strong>soft Critical Vulnerability MS12-020: Remote Desktop Protocol Vulnerability<br />
On Tuesday, March 13, 2012 (Patch Tuesday), <strong>Micro</strong>soft released the <strong>Security</strong> Update MS12-020. The<br />
vulnerability associated to this patch was rated as “critical” <strong>and</strong> affects all versions of Windows (servers<br />
<strong>and</strong> desktops) in which RDP service is “on.” The vulnerability could allow an attacker to install<br />
programs; view, change, or delete data; or create new accounts with full user rights. Also exploits<br />
could potentially act as worms because the vulnerability could enable unauthenticated, network-based<br />
exploits. With the security update, <strong>Micro</strong>soft stated that there was a high likelihood that attempts to<br />
exploit the vulnerability would occur in the following 30 days.<br />
The Power of <strong>Virtual</strong> <strong>Patching</strong>: Deep <strong>Security</strong> Customers Automatically Shielded<br />
As a member of the <strong>Micro</strong>soft Active Protections Program, <strong>Trend</strong> <strong>Micro</strong> received advance information<br />
about Vulnerability MS12-020, enabling the release of Deep <strong>Security</strong> Update DSRUI12-006 to protect<br />
against the vulnerability on the same day the <strong>Micro</strong>soft <strong>Security</strong> Update was announced, March 13,<br />
2012. This Deep <strong>Security</strong> Update provided immediate vulnerability shielding against any exploits<br />
leveraging this vulnerability. Deep <strong>Security</strong> customers were instantly protected, allowing them to roll<br />
out the Windows patch during regularly scheduled maintenance <strong>and</strong> avoiding emergency patching <strong>and</strong><br />
unscheduled downtime.<br />
2. Protection against Conficker<br />
Deep <strong>Security</strong> customers were protected against attacks that targeted critical vulnerabilities discovered<br />
in <strong>Micro</strong>soft Windows 2000, Windows XP, <strong>and</strong> Windows Server 2003 (MS08-067) the same day the<br />
vulnerability was announced, <strong>and</strong> weeks before the first Conficker exploits took advantage of these<br />
vulnerabilities.<br />
WHY TREND MICRO<br />
As the largest pure-play security provider with over 20 years of experience <strong>and</strong> the recognized<br />
leader in server 12 , virtualization 13 , <strong>and</strong> cloud security 14 , <strong>Trend</strong> <strong>Micro</strong> is uniquely positioned to<br />
help businesses make the most of virtualization <strong>and</strong> cloud computing. As part of this expertise,<br />
<strong>Trend</strong> <strong>Micro</strong> is a leading VMware security partner, providing <strong>Trend</strong> <strong>Micro</strong> Deep <strong>Security</strong> as the<br />
first partner solution designed specifically to:<br />
• Integrate with vShield Endpoint APIs<br />
• Integrate with other VMware APIs for network-level protection<br />
• Deliver agentless anti-malware—available since 2010<br />
• Deliver multiple agentless security options<br />
<strong>Trend</strong> <strong>Micro</strong> provides a unique virtual patching solution that leverages the distinctive framework<br />
of Deep <strong>Security</strong>. Multiple security modules are offered in either agentless or agent-based<br />
Page 11 of 13 | <strong>Trend</strong> <strong>Micro</strong> White Paper | Title Goes Here <strong>and</strong> Should be Same as the Cover
configurations for flexible deployment options—all on one security platform. Deep <strong>Security</strong> is<br />
the only solution that integrates this breadth of server security, enabling the coordinate of<br />
multiple security technologies for a highly-effective virtual patching solution.<br />
CONCLUSION<br />
<strong>Trend</strong> <strong>Micro</strong> Deep <strong>Security</strong> provides advanced protection for servers in the dynamic datacenter,<br />
whether physical, virtual or in the cloud. Deep <strong>Security</strong> combines antimalware, intrusion<br />
detection <strong>and</strong> prevention, firewall, integrity monitoring, web application protection, application<br />
control, <strong>and</strong> log inspection capabilities in a single, centrally managed software agent or with<br />
agentless security options for VMware virtual <strong>and</strong> cloud environments.<br />
Deep <strong>Security</strong> enables IT operations to better manage systems <strong>and</strong><br />
improve compliance by protecting vulnerable systems by extending the<br />
timeframe available to IT operations to deploy patches, or for Out-of-<br />
Support or unpatchable systems through protection in place of a patch.<br />
Deep <strong>Security</strong> protects confidential data <strong>and</strong> critical applications to help<br />
prevent data breaches <strong>and</strong> ensure business continuity, while enabling<br />
compliance with important st<strong>and</strong>ards <strong>and</strong> regulations such as PCI, FISMA<br />
<strong>and</strong> HIPAA. Whether implemented as software, virtual appliance, or in a<br />
hybrid approach, this solution equips enterprises to identify suspicious<br />
activity <strong>and</strong> behavior, <strong>and</strong> take proactive or preventive measures to<br />
ensure the security of the datacenter.<br />
Used in conjunction with traditional patch management solutions, <strong>Trend</strong><br />
<strong>Micro</strong> Deep <strong>Security</strong> adds an essential extra layer of protection for the<br />
enterprise’s most vulnerable systems.<br />
Complementary <strong>Virtual</strong> <strong>Patching</strong><br />
Protection for Clients<br />
<strong>Trend</strong> <strong>Micro</strong> OfficeScan provides clientlevel<br />
security for physical <strong>and</strong> virtual<br />
desktops <strong>and</strong> offers the Intrusion Defense<br />
Firewall plug-in for client virtual patching.<br />
The plug-in delivers a network-level Host<br />
Intrusion Prevention System (HIPS) <strong>and</strong><br />
shields vulnerabilities in Operating<br />
Systems <strong>and</strong> common client applications,<br />
delivering true zero-day protection from<br />
known <strong>and</strong> unknown threats. For more<br />
information on <strong>Trend</strong> <strong>Micro</strong> OfficeScan,<br />
Intrusion Defense Firewall plug in, visit<br />
http://www.trendmicro.com/officescan.<br />
FOR MORE INFORMATION ON DEEP SECURITY<br />
Please call us at +1-877-21-TREND or visit http://www.trendmicro.com/deepsecurity.<br />
Page 12 of 13 | <strong>Trend</strong> <strong>Micro</strong> White Paper | Title Goes Here <strong>and</strong> Should be Same as the Cover
REFERENCES<br />
1 Mell, P., Bergeron, T., & Henning, D. (November 2005). Creating a Patch <strong>and</strong> Vulnerability Management Program:<br />
Recommendations of the National Institute of St<strong>and</strong>ards <strong>and</strong> Technology (NIST). Special Publication 800-40 Version<br />
2.0. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf.<br />
2 Davis, M. (May 2011). 2011 Strategic <strong>Security</strong> Survey: CEOs Take Notice Report. InformationWeek Analytics. Report<br />
ID: R2130511.<br />
3 Payment Card Industry Data <strong>Security</strong> St<strong>and</strong>ard (PCI DSS), version 2.0. October 2010. Requirement 6.1 (requires upto-date<br />
security patches within one month of release).<br />
https://www.pcisecurityst<strong>and</strong>ards.org/security_st<strong>and</strong>ards/documents.php.<br />
4 2012 Data Breach Investigations Report. Verizon. A study conducted by the Verizon RISK Team with cooperation<br />
from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting <strong>and</strong> Information <strong>Security</strong><br />
Service, Police Central e-Crime Unit, <strong>and</strong> United States Secret Service.<br />
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf.<br />
5 National Vulnerability Database Common Vulnerabilities & Exposures (CVE) <strong>and</strong> Common Configuration Enumeration<br />
(CCE) Statistics Query Page. Data retrieved on April 17, 2012 from http://web.nvd.nist.gov/view/vuln/statistics.<br />
6 Quinn, S., Scarfone, K., Barnett, M., & Johnson, C. (July 2010). Guide to Adopting <strong>and</strong> Using the <strong>Security</strong> Content<br />
Automation Protocol (SCAP) Version 1.0: Recommendations of the National Institute of St<strong>and</strong>ards <strong>and</strong> Technology<br />
(NIST). Special Publication 800-117. http://csrc.nist.gov/publications/nistpubs/800-117/sp800-117.pdf.<br />
7 National Vulnerability Database. Data retrieved on April 17, 2012.<br />
8<br />
2012 Data Breach Investigations Report. Verizon.<br />
9 MacDonald, N. (July 20, 2010). Securely Using Windows 2000 After Support Ends. Gartner Research. ID Number<br />
G00205521.<br />
10 Silver, M., <strong>and</strong> MacDonald, N. (September 14, 2009). Plan for the End of Support of Windows 2000. Gartner<br />
Research. ID Number G00170059.<br />
11 The Protection <strong>and</strong> Operational Benefits of Agentless <strong>Security</strong> in <strong>Virtual</strong> Environments. (March 2012.) Osterman<br />
Research. (Interviewed Deep <strong>Security</strong> customers as research for the white paper.)<br />
12 Kolodgy, C. (November 2011). Worldwide Endpoint <strong>Security</strong> 2011-2015 Forecast <strong>and</strong> 2010 Vendor Shares. IDC. Doc<br />
# 231307.<br />
13<br />
Global <strong>Virtual</strong>isation <strong>Security</strong> Management Solutions Market 2010-2014 (February 21, 2011). Technavio.<br />
14<br />
Global Cloud <strong>Security</strong> Software Market 2010-2014 (2011). Technavio.<br />
TREND MICRO <br />
<strong>Trend</strong> <strong>Micro</strong> Incorporated is a pioneer in secure content <strong>and</strong> threat management. Founded in 1988, <strong>Trend</strong><br />
<strong>Micro</strong> provides individuals <strong>and</strong> organizations of all sizes with award-winning security software, hardware<br />
<strong>and</strong> services. With headquarters in Tokyo <strong>and</strong> operations in more than 30 countries, <strong>Trend</strong> <strong>Micro</strong> solutions<br />
are sold through corporate <strong>and</strong> value-added resellers <strong>and</strong> service providers worldwide. For additional<br />
information <strong>and</strong> evaluation copies of <strong>Trend</strong> <strong>Micro</strong> products <strong>and</strong> services, visit our Web site:<br />
www.trendmicro.com.<br />
TREND MICRO INC.<br />
U.S. toll free: +1 800.228.5651<br />
phone: +1 408.257.1500<br />
fax:+1408.257.2003<br />
www.trendmicro.com.<br />
©2012 by <strong>Trend</strong> <strong>Micro</strong> Incorporated. All rights reserved. <strong>Trend</strong> <strong>Micro</strong>, the <strong>Trend</strong> <strong>Micro</strong> t-ball logo, OfficeScan, <strong>and</strong> <strong>Trend</strong> <strong>Micro</strong> Control Manager are trademarks or registered trademarks of <strong>Trend</strong> <strong>Micro</strong><br />
Incorporated. All other company <strong>and</strong>/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice.<br />
[WPXX_Title_120328US]<br />
Page 13 of 13 | <strong>Trend</strong> <strong>Micro</strong> White Paper | Title Goes Here <strong>and</strong> Should be Same as the Cover